[00:13.280 --> 00:15.760]  All right, everyone, welcome back.
[00:16.080 --> 00:18.660]  If you're just joining us here in the AppSec Village,
[00:18.660 --> 00:22.100]  I hope you are ready for a fantastic talk.
[00:22.100 --> 00:24.780]  If you're still hanging around from the last talk,
[00:24.780 --> 00:27.100]  glad to have you back. This is going to be awesome.
[00:27.180 --> 00:30.840]  I wanted to take a few minutes to thank everybody
[00:30.840 --> 00:35.380]  who helped to put on DEF CON this year.
[00:35.440 --> 00:38.540]  I know this has been very challenging for people.
[00:38.540 --> 00:41.060]  It's challenging for us at home.
[00:41.060 --> 00:44.260]  It's doubly challenging to bring
[00:44.680 --> 00:48.240]  a great conference experience to DEF CON.
[00:48.240 --> 00:50.260]  And we really hope that comes through.
[00:50.260 --> 00:53.300]  Also take a minute to thank the AppSec Village.
[00:53.320 --> 00:56.500]  Some people have put in amazingly long hours
[00:56.500 --> 00:58.860]  to make this stuff happen.
[00:58.940 --> 01:02.020]  And we want to thank them as part of that.
[01:02.540 --> 01:04.820]  Additionally, if you want to get a shirt,
[01:04.820 --> 01:07.440]  head over to the AppSec Village website.
[01:07.440 --> 01:09.060]  You can purchase your shirt there
[01:09.060 --> 01:15.060]  for the second incarnation of the AppSec Village.
[01:16.280 --> 01:18.440]  So for our next talk, we've got Paul Abar
[01:18.440 --> 01:22.760]  and Stanislas Malveaux talking to us
[01:22.760 --> 01:25.820]  about turning the offensive security mindset
[01:25.820 --> 01:28.820]  into a developer's toolbox.
[01:29.960 --> 01:32.440]  Hi. Hello, everyone.
[01:32.440 --> 01:35.200]  Thanks for joining our presentation,
[01:35.200 --> 01:37.920]  which is going to be today about our journey
[01:37.920 --> 01:42.940]  into turning offsec mindset to developer's toolset.
[01:43.560 --> 01:47.360]  This presentation, we're going to be two of them doing it.
[01:47.680 --> 01:51.300]  And it's going to be in what we can say three parts.
[01:51.420 --> 01:54.240]  First one is going to be about a tool
[01:54.240 --> 01:56.840]  that we created inside our company,
[01:56.840 --> 01:58.580]  which is called ChopChop.
[01:58.580 --> 02:01.000]  And we will come to what happened,
[02:01.000 --> 02:03.480]  what was the context, what was the need for it,
[02:03.480 --> 02:05.620]  and that we're going to explain what happened.
[02:06.100 --> 02:08.860]  The second one is how did we want to
[02:09.480 --> 02:12.940]  broaden our audience into having more and more
[02:12.940 --> 02:15.920]  and more people using it, and especially developers.
[02:16.160 --> 02:17.820]  And the last part is going to be the demo
[02:18.340 --> 02:20.160]  that we're going to do with Stanislas,
[02:20.160 --> 02:23.200]  who is here just next to me, and who's going to do it.
[02:23.220 --> 02:25.860]  So three parts in trying to explain our journey
[02:25.860 --> 02:29.020]  into how we tried at least to achieve it
[02:29.020 --> 02:31.200]  and some of the mistakes, drawbacks,
[02:31.200 --> 02:33.000]  and things that we learned on the way.
[02:33.000 --> 02:35.740]  So hopefully, we hope that you're going to learn
[02:35.740 --> 02:37.560]  something about it.
[02:38.160 --> 02:40.020]  All right, let's start.
[02:40.520 --> 02:44.760]  This graph, we actually took it from CVE details.
[02:44.760 --> 02:47.560]  And it just shows the number of vulnerabilities
[02:47.560 --> 02:50.280]  and numbers of CVEs that we got
[02:50.960 --> 02:54.840]  starting from a couple of years back to basically now.
[02:54.840 --> 02:56.880]  So we took this graph last year,
[02:56.880 --> 03:01.960]  and we can realize that between 2016 to 2017,
[03:01.960 --> 03:04.300]  the number of CVEs just doubled.
[03:05.060 --> 03:07.220]  And this is something that we can see.
[03:07.220 --> 03:10.560]  Every day and every week, we get new vulnerabilities coming in.
[03:10.560 --> 03:13.920]  We get Oracle built-in, which is just full,
[03:13.920 --> 03:16.140]  and hundreds of vulnerabilities are inside.
[03:16.140 --> 03:18.480]  We also get built-in of Microsoft,
[03:18.480 --> 03:22.060]  which are just showing up hundreds of vulnerabilities,
[03:22.060 --> 03:24.440]  or let's say dozens of vulnerabilities each month.
[03:24.440 --> 03:26.600]  And this is something that's growing, obviously,
[03:26.600 --> 03:29.020]  and we're hearing a lot about this.
[03:29.060 --> 03:31.760]  And in the last couple of days, last couple of weeks,
[03:31.760 --> 03:35.280]  we got a number of vulnerabilities during the lockdown,
[03:35.280 --> 03:38.500]  which was just massive, and especially critical vulnerabilities.
[03:38.500 --> 03:40.940]  So this is something that we can feel,
[03:40.940 --> 03:44.020]  and this is getting really, really big.
[03:44.380 --> 03:46.540]  And when we're taking those numbers,
[03:46.540 --> 03:49.860]  we realize that just by dividing it by 52,
[03:49.860 --> 03:53.200]  the number of weeks that we have per year,
[03:53.200 --> 03:58.480]  we realize we get something like 319 new vulnerabilities.
[03:58.480 --> 04:02.660]  And this is the number of new vulnerabilities that we get per week.
[04:02.660 --> 04:06.320]  And this is huge, huge for a team to just realize
[04:06.320 --> 04:09.560]  that we do have to process all this information.
[04:09.560 --> 04:15.660]  So bear in mind that we are not affected by all those vulnerabilities at the time,
[04:15.660 --> 04:19.340]  but it really depends on your context, on our context,
[04:19.340 --> 04:22.420]  on your customer's context, and so on.
[04:22.420 --> 04:26.900]  But this is something, some information that needs to be digested by your teams
[04:26.900 --> 04:30.580]  to just realize if you're affected or not,
[04:30.580 --> 04:32.680]  and if you're vulnerable to it or not.
[04:32.680 --> 04:36.760]  And this is a huge thing to actually realize and to process,
[04:36.760 --> 04:41.380]  especially depending on the size of your team.
[04:42.000 --> 04:46.620]  And usually when we get a new vulnerability, like the MS17010,
[04:46.620 --> 04:51.880]  or let's say the new vulnerability for the DNS remote card execution on Microsoft,
[04:51.880 --> 04:53.780]  which happened a couple of weeks ago,
[04:53.780 --> 04:58.980]  we usually get the management, because they hear a lot about this on Twitter,
[04:58.980 --> 05:02.180]  on specific magazines, on specific websites,
[05:02.180 --> 05:03.920]  and they actually hear about like this,
[05:03.920 --> 05:07.100]  and there's like a really big buzz around those vulnerabilities.
[05:07.100 --> 05:10.840]  And usually they're coming to the security team and just asking,
[05:10.840 --> 05:15.620]  all right, are we affected by this vulnerability or this other one that we heard about?
[05:16.280 --> 05:20.160]  And this is something that, well, we can understand it, obviously.
[05:20.160 --> 05:25.060]  And the problem with this is we get to the point where the security team is overwhelmed
[05:25.060 --> 05:29.740]  by the number of new findings that happen each day.
[05:29.740 --> 05:33.660]  And you get like a backlog, which is full of things that you need to process,
[05:33.660 --> 05:36.800]  and it turns out that the management is coming and coming and coming again
[05:36.800 --> 05:39.820]  to just like ask if we are vulnerable to this,
[05:39.820 --> 05:43.680]  to just answer to the management, to the executive, and so on.
[05:43.680 --> 05:47.620]  So something to bear in mind, and this is part of the context that we are in
[05:47.620 --> 05:53.160]  and why we actually had like this old tool ID, and we started like getting this.
[05:53.160 --> 05:56.200]  So the context was based on this.
[05:56.820 --> 06:00.360]  So the problematics we had was something circa 2016,
[06:00.360 --> 06:04.240]  when we started having like this kind of philosophy and mindset.
[06:04.240 --> 06:10.560]  And the idea was we had thousands of servers and domains that had to be scanned daily.
[06:10.620 --> 06:15.660]  We wanted to scan them to basically for statistics reason, KPI,
[06:15.660 --> 06:21.300]  and having some like fresh data, because obviously as soon as you do a penetration test
[06:21.300 --> 06:26.440]  or any kind of testing, we can consider the test outdated a couple of hours
[06:26.440 --> 06:28.620]  or let's say a couple of days afterwards.
[06:28.620 --> 06:34.220]  So we wanted to have like fresh data all the time, and daily fresh data.
[06:34.440 --> 06:41.460]  Second of all is we did not have direct access to the servers in some specific situations.
[06:41.460 --> 06:47.800]  And this was based because the servers were materialized, because it was managed by other entities,
[06:47.800 --> 06:50.120]  and a couple of other reasons that we had.
[06:50.120 --> 06:54.480]  So we didn't have like SSH access on all the machines all the time.
[06:54.480 --> 06:59.420]  So this is why we needed to have like another way into assessing the security of the applications
[06:59.420 --> 07:05.280]  that were exposed on the internet, inside as well in the network,
[07:05.280 --> 07:08.420]  and really we had like a really big context with this.
[07:08.420 --> 07:13.980]  And we can see that the situation is quite pretty similar to what we can call black box penetration testing,
[07:13.980 --> 07:18.600]  which means that we don't have like administration access to the server,
[07:18.600 --> 07:22.680]  and that we need to like find other ways to qualify and to have an ID
[07:22.680 --> 07:26.900]  if we are vulnerable to this specific value.
[07:27.200 --> 07:30.500]  The tech landscape that we had was also unclear.
[07:30.720 --> 07:37.740]  In 2016, 2017, there were a lot of vulnerabilities, especially with WebDAV, if you can remember.
[07:37.740 --> 07:41.680]  It was like quite a hot topic at the time, but also with struts,
[07:41.680 --> 07:46.540]  because there were a couple of critical vulnerabilities which happened in a couple of days.
[07:47.220 --> 07:52.420]  So these were the things where, okay, there's a huge vulnerability with struts.
[07:52.440 --> 07:55.100]  Are we vulnerable to it? Yes, no.
[07:55.100 --> 08:01.200]  And can we quantify the number of servers which might be potentially vulnerable to this?
[08:01.200 --> 08:04.600]  And the last point, but not least, is interesting.
[08:04.600 --> 08:08.440]  And speaking of which, it's like this lean security, all right?
[08:08.440 --> 08:15.340]  And it's the idea of ability to perform checks every time, so again and again.
[08:15.340 --> 08:19.580]  So basically, this kind of like loop, this lean loop that we can have,
[08:19.580 --> 08:23.020]  where we would be able to like spot security regression.
[08:23.680 --> 08:28.620]  And this remembers like a cool anecdote, if we can say it this way.
[08:28.620 --> 08:34.520]  There's one company, quite big company, having a bug bounty program.
[08:34.940 --> 08:42.660]  And after speaking with them, they actually told us that they paid some really good bounty
[08:42.660 --> 08:48.280]  for a specific researcher who found remote code execution on some of the production servers.
[08:48.280 --> 08:49.620]  They fixed it.
[08:49.780 --> 08:55.980]  But unfortunately, a couple of weeks later, they redeployed the same vulnerable component.
[08:55.980 --> 08:58.920]  And another bounty researcher found it.
[08:58.940 --> 09:03.040]  And they had to pay twice for the same vulnerability that they had,
[09:03.040 --> 09:07.180]  that they had already patched, and that they already paid one researcher for it.
[09:07.180 --> 09:10.360]  And this is what I'm going to call security regression.
[09:11.340 --> 09:16.160]  When we're taking the tech and like the developer landscape,
[09:16.160 --> 09:21.520]  unit testing is actually one of the foundations of any kind of like new development.
[09:21.520 --> 09:29.400]  And I think that like this specific mindset and security regression should definitely be something
[09:29.400 --> 09:37.620]  that we could put on our top priority, just to make sure that we get all those regressions as soon as possible.
[09:37.920 --> 09:43.020]  We have everything automated right now. We do have like a lot of pipelines for our developers.
[09:43.020 --> 09:45.880]  Everything is going faster and faster and faster.
[09:45.880 --> 09:49.780]  And I think that we can improve our way into this.
[09:49.780 --> 09:55.060]  And this is some of the reasons why we created our tools, and we wanted to tackle this issue.
[09:55.060 --> 09:58.640]  Security regression was one of the big parts.
[09:59.000 --> 10:00.780]  So this was our context.
[10:01.560 --> 10:07.220]  The needs that we have, so needs from the field, and this was again from like 2016,
[10:07.220 --> 10:14.140]  we had to assess new vulnerabilities, new risks coming in, and we had to do this quickly.
[10:14.140 --> 10:21.180]  So yeah, 2017, we had Struts, we had RCE, so Remote Code Execution on Drupal.
[10:21.260 --> 10:25.960]  We had WebDAV, we had like lots, a lot of things happening, obviously.
[10:25.960 --> 10:30.200]  And we had to process this as fast as we could.
[10:30.360 --> 10:36.280]  So this was one thing. The other one was, we had like a small team working on this.
[10:36.400 --> 10:40.100]  When I'm speaking of small teams, it was three to four people.
[10:40.100 --> 10:46.640]  All of them were all security-oriented, which is really important for the rest of the journey,
[10:46.640 --> 10:50.240]  because this started introducing some bias,
[10:50.240 --> 10:55.780]  which means that we were security people working with security tools that we wrote,
[10:55.780 --> 11:00.980]  and we were more or less like in our circle and in our comfort zone,
[11:00.980 --> 11:06.840]  which means that when we started and wanted to deploy to other population and other kind of people,
[11:06.840 --> 11:12.140]  developers, devops, it turns out that we had some interesting gap, I would say,
[11:12.140 --> 11:19.200]  and those bias that we introduced, we're going to try to give you the mistakes and how we tackle these issues.
[11:19.200 --> 11:21.860]  But never mind, we will come back to this later on.
[11:22.420 --> 11:27.740]  So we needed a tool which would be fast, so something where we could just say,
[11:27.740 --> 11:33.520]  okay, here is the new vulnerability, run it across all our parameters and see if we get a hit.
[11:33.520 --> 11:36.840]  The second one was having something reliable.
[11:36.840 --> 11:42.240]  And when we say reliable, it's mostly interesting for the deterministic return,
[11:42.240 --> 11:49.800]  which means that if we would run the tool twice, we would make sure that if it hits, it would hit again.
[11:50.080 --> 11:55.600]  So there would be nothing random in the processing.
[11:55.600 --> 11:59.440]  So we would know exactly how the rules would be triggered.
[11:59.520 --> 12:04.000]  And if we would run it twice, we should have the same output, obviously.
[12:04.260 --> 12:08.280]  And the last point, but not least, would be no false positives.
[12:08.480 --> 12:12.600]  So it's interesting because we need to find like a threshold, right?
[12:12.600 --> 12:15.040]  We need to have like a tool super fast.
[12:15.040 --> 12:20.560]  But on the other hand, we don't want any false positives, which is really hard to combine all together.
[12:21.580 --> 12:27.540]  So it's two criteria, which unfortunately don't really work together.
[12:27.740 --> 12:32.520]  But we think that we did quite a great job, and this is something that we managed to do.
[12:32.620 --> 12:37.740]  And considering that a hit, chop chop hit, would be a real hit,
[12:37.740 --> 12:41.580]  which means that if we get something in the output, in the console output,
[12:41.580 --> 12:48.640]  we would have to open an incident, call someone, or start doing like an immediate action, right?
[12:48.640 --> 12:52.280]  And not having like a lot and lot and lot information to process.
[12:52.360 --> 12:56.160]  So really trying to like do some kind of like sniper thing,
[12:56.160 --> 13:00.120]  and just making sure that we get to what's really valuable.
[13:00.260 --> 13:04.640]  So those were our needs, and yeah, trust me, we had a lot of them.
[13:05.660 --> 13:12.760]  So if we can take an image, an analogy, it would be like more or less like going to the jungle, right?
[13:12.760 --> 13:16.320]  And it would be like something where we would just have like a machete,
[13:16.320 --> 13:22.140]  and like start just like chopping trees to try to like create a path in like the jungle,
[13:22.140 --> 13:25.000]  so that we could reach our destination point.
[13:25.020 --> 13:27.340]  But this was like more or less the case.
[13:27.360 --> 13:32.220]  As you saw beforehand, it was more or less like an approach of like black box testing,
[13:32.220 --> 13:36.040]  where the tech landscape was a bit unclear.
[13:36.140 --> 13:42.060]  We didn't exactly know what we were doing, and what we wanted to do is like creating hypotheses,
[13:42.060 --> 13:47.220]  and trying to see if it would be valuable for our context.
[13:47.220 --> 13:50.620]  And making sure that the tool that we released, and that we get,
[13:50.620 --> 13:53.700]  would be something also valuable for other organizations,
[13:53.700 --> 13:57.300]  so that they could customize it for their own environments.
[13:57.300 --> 14:02.140]  This was like mostly like the whole soul of the application.
[14:02.140 --> 14:06.040]  So yeah, this analogy, really the analogy of jungle,
[14:06.040 --> 14:09.720]  and having something where we would have to like start chopping trees,
[14:09.720 --> 14:13.380]  and making sure that we're not in danger.
[14:14.760 --> 14:17.860]  So we were saying chop-chop, chop-chop, and what does it mean?
[14:18.460 --> 14:21.700]  It's actually a funny name, and it's something coming from Cantonese,
[14:21.700 --> 14:26.920]  which means hurry, and suggest to do something like without delay and right now.
[14:26.920 --> 14:32.940]  So we thought the name was interesting, and exactly what was like the spirit of the tool.
[14:32.940 --> 14:34.840]  So this is why we called it chop-chop.
[14:34.840 --> 14:39.600]  We wanted to have like a tool where if an emergency alert was coming in,
[14:39.600 --> 14:44.870]  we would be able to like respond right now, and having results in no time.
[14:45.160 --> 14:49.100]  So it was the whole soul, and this is why we kept the name chop-chop,
[14:49.100 --> 14:51.420]  and released the tool with this name.
[14:51.960 --> 14:56.820]  The tool initially back in 2017 was written with Python.
[14:56.820 --> 15:00.720]  We started with Python 2.7, then migrated to Python 3.
[15:00.720 --> 15:04.420]  We got everything working, and following the upcoming month,
[15:04.420 --> 15:08.720]  we started getting plugins that the security team mostly wrote.
[15:08.720 --> 15:12.060]  And in the end, we came up with 80 plugins.
[15:12.060 --> 15:15.220]  So 80 things processing, which were done.
[15:15.440 --> 15:20.620]  Going from trying to find if there was like a .git folder exposed on the internet,
[15:20.620 --> 15:23.420]  or let's say in the web root, accessible in the web root,
[15:23.420 --> 15:27.180]  to also like checking if the RDP port was also open,
[15:27.180 --> 15:30.660]  checking if the port was here, and was just responding.
[15:30.720 --> 15:33.700]  A couple of things like this, and we started like creating plugins,
[15:34.300 --> 15:36.580]  which were specific to our environment.
[15:36.580 --> 15:41.420]  Those ones were not released, but this gives you the idea of the flexibility of the tool.
[15:41.420 --> 15:45.580]  So taking a domain name or an IP, and afterwards doing some processing.
[15:45.580 --> 15:48.020]  And any kind of processing, basically.
[15:48.440 --> 15:52.640]  As I said, it was mostly doing things with HTTP,
[15:52.640 --> 15:56.120]  and this was like the whole soul of the application at first,
[15:56.120 --> 16:01.660]  but then afterwards, people started integrating new protocols and new modules
[16:01.660 --> 16:04.200]  to start interacting with other services.
[16:05.500 --> 16:10.080]  So we had everything running, the ability to run scans daily,
[16:10.080 --> 16:12.640]  with what we called deterministic wizards,
[16:12.640 --> 16:16.380]  which was one of the things we were really eager to have.
[16:16.380 --> 16:21.940]  So daily scans, basically every day, and allowed us to answer two questions.
[16:21.940 --> 16:24.520]  The first one would be to answer to the management,
[16:24.520 --> 16:26.700]  are we affected? Yes, no.
[16:26.700 --> 16:31.040]  And then afterwards, being able to quantify the number of servers,
[16:31.040 --> 16:35.820]  or number of IPs, which were actually affected with this specific vulnerability.
[16:36.260 --> 16:38.880]  Is it going to be one? Is it going to be 100?
[16:38.880 --> 16:42.540]  Is it going to be dozens, hundreds, thousands?
[16:42.540 --> 16:45.480]  Is it going to be all the servers at once?
[16:45.500 --> 16:49.600]  So it's actually quantifying the results, and we were able to do this.
[16:49.600 --> 16:54.040]  So we would count every console output, every line we would get,
[16:54.040 --> 16:58.160]  and we would have an idea of how many servers would be affected.
[16:58.160 --> 17:03.480]  And this allowed us, and this saved us a lot of time.
[17:05.040 --> 17:08.740]  As I said, ChopChop initially was written in Python,
[17:08.740 --> 17:11.720]  and this is an example of a plugin that we wrote,
[17:11.720 --> 17:14.900]  and this one is to try and check,
[17:14.900 --> 17:21.320]  ensure that the git.git repository, .git folder, is not exposed in the web route.
[17:21.340 --> 17:23.620]  So what it's going to do, it's quite simple,
[17:23.620 --> 17:29.420]  it's going to test on port 80 and on port 443, in HTTP and HTTPS,
[17:29.420 --> 17:34.220]  and it's going to check one specific path, which is going to be .git slash config,
[17:34.220 --> 17:38.580]  and it's going to check for one specific word to appear in the HTTP response.
[17:38.720 --> 17:43.620]  Based on this, we're going to have a severity, which ranks from 0 to 10.
[17:43.620 --> 17:46.780]  10 is going to be critical, 0 is going to be informational,
[17:46.780 --> 17:51.320]  quite similar to what we can find with the CVSS code, something similar.
[17:51.320 --> 17:55.160]  Again, this thing, we will talk about this later on,
[17:55.160 --> 18:00.260]  but we changed it in the new version of ChopChop for particular reasons,
[18:00.260 --> 18:05.320]  and because we thought that having this specific range would be way too far
[18:06.000 --> 18:09.420]  and way too lot of information to process,
[18:09.420 --> 18:14.700]  and based on the audience we wanted to reach, this is something that was a bit useless.
[18:14.740 --> 18:16.600]  But we will come back to this.
[18:16.600 --> 18:24.800]  We had a description, ensuring that the git repository is not accessible from the web root,
[18:24.800 --> 18:28.020]  and one fix, what we can call remediation.
[18:28.400 --> 18:32.980]  And it was really important for us because afterwards, after using it and using it,
[18:32.980 --> 18:38.100]  we started getting people and non-security people using the results of ChopChop.
[18:38.100 --> 18:43.680]  And it turns out that some of them were lost by just having an Excel file or anything like this,
[18:43.680 --> 18:47.880]  just an output, ChopChop output, just didn't know exactly what to do with this.
[18:47.880 --> 18:52.200]  So we started implementing remediations to give some insights and some inputs,
[18:52.200 --> 18:57.660]  so that people could work on their own by just giving them a bunch of pieces
[18:57.660 --> 19:01.220]  so that they could start working on the remediation and mitigation.
[19:01.640 --> 19:07.640]  So this is the kind of plugins that we had, written in Python, giving you some information,
[19:07.640 --> 19:12.480]  so you just had to inherit from the plugin class that we had.
[19:12.480 --> 19:19.400]  And afterwards, you would just have to override a couple of things and you would be start to go.
[19:20.740 --> 19:25.720]  Here are some things that we managed to find on production systems.
[19:26.000 --> 19:31.880]  So for example here, we managed to get repository access for SVN with some files, wc.db,
[19:31.880 --> 19:37.060]  which allowed us afterwards to basically fetch anything from the SVN repository,
[19:37.060 --> 19:40.080]  and afterwards getting the source code and so on.
[19:40.080 --> 19:41.620]  So this was quite problematic.
[19:41.620 --> 19:48.400]  We also had things like htpassword, which was not interpreted by the application server,
[19:48.400 --> 19:52.080]  for some reasons, misconfiguration, things like this.
[19:52.080 --> 19:54.300]  But this is something that we managed to show.
[19:54.520 --> 20:00.500]  And the idea was having hypothesis and trying them across a larger scope,
[20:00.500 --> 20:02.980]  depending on the scope that you have.
[20:02.980 --> 20:08.520]  But this was the idea, having a hypothesis, taking things maybe from the bug bounty,
[20:08.520 --> 20:10.880]  we were speaking about bug bounty beforehand,
[20:10.880 --> 20:16.720]  so just checking things that bug hunters are trying on large scopes.
[20:16.720 --> 20:20.970]  And you will see in the reference that there is a nice talk from James Kettle,
[20:21.500 --> 20:25.940]  Cracking the Lens, which is some research that he did in 2017.
[20:25.940 --> 20:30.560]  It's something quite similar to what we tried as well, and we got inspired.
[20:30.560 --> 20:32.720]  So this is why it's going to be in the references.
[20:32.820 --> 20:37.580]  And if you haven't seen the article, feel free to reach out and just check it out.
[20:37.580 --> 20:39.060]  It's absolutely awesome research.
[20:39.060 --> 20:42.540]  Even if it's 2017, absolutely awesome and just gold.
[20:42.540 --> 20:46.400]  So feel free to get it afterwards, and you will get it in the slides.
[20:46.460 --> 20:48.280]  So these were some things that we were trying.
[20:48.280 --> 20:50.440]  All right, maybe it's not going to be interpreted.
[20:50.520 --> 20:51.720]  Well, what do we lose?
[20:51.720 --> 20:55.840]  Just maybe writing a couple of lines of code and seeing if it's going to match
[20:55.840 --> 20:57.820]  and if it's going to trick somewhere.
[20:58.420 --> 21:02.760]  Fortunately for us, it tricked, and we managed to remediate it in a couple of hours.
[21:03.280 --> 21:06.340]  But also, internal information disclosure.
[21:06.340 --> 21:10.540]  So here we had the server status page, which gave us some information.
[21:10.540 --> 21:12.640]  Nothing super critical, but still.
[21:12.640 --> 21:20.140]  It could give URI, so basically endpoints, and maybe some kind of internal endpoints.
[21:20.140 --> 21:25.380]  But it was also giving some ideas about the IP address range that we were using internally.
[21:25.380 --> 21:30.500]  So those kind of things that we didn't want attackers to have on their hands.
[21:30.500 --> 21:36.220]  We wanted to try this across all our servers again, and finding them.
[21:36.220 --> 21:39.300]  So this is the kind of things that we managed to find.
[21:40.820 --> 21:46.220]  Last but not least, here is, for example, with the wildcard.
[21:46.460 --> 21:51.760]  So basically some cross-domain.xml files, which are way too permissive.
[21:51.760 --> 21:56.280]  Way too permissive, allowing anyone to just craft some payloads
[21:56.280 --> 22:00.400]  and being able to start discussing with our website.
[22:00.400 --> 22:04.520]  Might be afterwards stealing some cookies, stealing some information.
[22:04.520 --> 22:08.060]  And we wanted to just trigger it on all our parameters.
[22:08.060 --> 22:10.740]  This is something that we managed to find.
[22:11.000 --> 22:13.280]  One rule, doing it all.
[22:14.340 --> 22:18.480]  It worked pretty well, and we were really happy with this.
[22:20.320 --> 22:23.760]  So now, what we had was a hypothesis.
[22:23.760 --> 22:31.240]  We had a tool written by a security team, used by security people, and it was working.
[22:31.240 --> 22:33.780]  We were happy, everything was good.
[22:33.900 --> 22:37.140]  But then afterwards, we wanted to try the extra mile.
[22:37.140 --> 22:40.380]  And the extra mile was actually a couple of extra miles.
[22:41.360 --> 22:47.700]  And by saying this is, okay, we had our internal tool, and we wanted to make it available to everyone.
[22:47.700 --> 22:50.900]  And what we mean by everyone is mostly developers.
[22:50.900 --> 22:58.160]  As soon as having a tool, that they could integrate into the pipeline, and in the CI-CD pipeline.
[22:58.160 --> 23:04.260]  So this was our goal, and basically the polar star that we were trying to target.
[23:04.960 --> 23:09.980]  And it turns out that the first issue that we found was actually based on communication.
[23:10.200 --> 23:13.240]  Developers don't necessarily get security things.
[23:13.240 --> 23:14.840]  It's one of the golden rules.
[23:14.840 --> 23:16.840]  But same as the other way around.
[23:16.840 --> 23:22.780]  Which means that we're coming with our needs, we're coming with our ideas, with our beliefs.
[23:23.120 --> 23:24.780]  Developers come with theirs.
[23:24.860 --> 23:29.020]  And it turns out that we need to find a way on how to get a line.
[23:29.440 --> 23:35.840]  We found this interesting thread on Twitter, so we're not shaming anyone or doing any kind of finger pointing.
[23:35.840 --> 23:38.560]  But we think that it's an interesting thing.
[23:39.300 --> 23:47.240]  So we got someone on Twitter basically showing and giving some idea about past experience, and started using acronyms.
[23:47.240 --> 23:53.080]  IR, especially if you're working in security, this is something which stands for incident response.
[23:53.080 --> 23:55.780]  And this is perfectly understandable.
[23:55.980 --> 24:02.280]  But it turns out that in the comments, we got some people where IR didn't mean anything.
[24:02.280 --> 24:08.760]  So people started looking up and found that it was an acronym maybe for infrared cameras.
[24:08.760 --> 24:16.900]  And it's something that if this person doesn't know the acronym, there's some issue with the communication.
[24:16.900 --> 24:21.180]  And we need to find a way into achieving and finding a bridge between them.
[24:21.180 --> 24:27.020]  And the last picture is just showing on the right that everyone is right.
[24:27.520 --> 24:31.160]  Everyone is right based on what they're looking up.
[24:31.160 --> 24:40.320]  But it's just that we need to get those two people aligned to make sure that they can move forward and they can move together in the same direction.
[24:40.540 --> 24:44.080]  Security is not against developers. Developers are not against security.
[24:44.080 --> 24:46.760]  I think both of them can work together.
[24:47.080 --> 24:53.380]  But just trying to get the same beliefs, at least on some very specific topics.
[24:55.040 --> 25:01.560]  So yeah, interesting things about the communication channel and speaking the same language.
[25:02.200 --> 25:06.340]  And when it comes to security, it comes with a lot of details.
[25:06.340 --> 25:10.040]  SSTI, XSS, XSE, SQLI.
[25:10.040 --> 25:12.680]  But also when we're speaking about CVEs.
[25:12.680 --> 25:16.860]  So we get thousands of CVEs as we saw earlier.
[25:16.860 --> 25:22.160]  But also MS-Beltane, MS-08, MS-067.
[25:22.160 --> 25:25.580]  But we also have a name of vulnerabilities.
[25:25.580 --> 25:28.440]  Heartbleed, Eternalblue, Bluebone.
[25:28.440 --> 25:33.080]  And this is a huge referential that we do have in security.
[25:33.080 --> 25:34.660]  Absolutely crazy.
[25:34.660 --> 25:40.640]  And the thing is, security people are actually losing track of all this.
[25:40.640 --> 25:42.500]  It's so much information.
[25:42.500 --> 25:44.800]  We have so much information to process.
[25:44.800 --> 25:48.280]  So yeah, we have those named vulnerabilities.
[25:48.280 --> 25:49.400]  They have websites.
[25:49.400 --> 25:50.180]  They have videos.
[25:50.180 --> 25:52.660]  They have almost like choreography and things.
[25:52.900 --> 25:57.880]  But also like all the names of vulnerabilities and classes, vulnerability classes that we have.
[25:57.880 --> 26:00.080]  So much information to digest.
[26:00.080 --> 26:05.280]  It's already hard for security people and people working in this for day long, right?
[26:05.280 --> 26:07.680]  And who have been doing their careers in this.
[26:07.680 --> 26:08.980]  But what about developers?
[26:08.980 --> 26:11.620]  How can developers keep up with this information?
[26:12.080 --> 26:17.420]  When we just like giving them a report, some of them might just be, I'm just completely lost.
[26:17.420 --> 26:18.380]  I'm just completely lost.
[26:18.380 --> 26:19.620]  I have no idea what this means.
[26:19.620 --> 26:26.820]  I can see this presentation, but I might look like a fool if I just ask the question, what is this acronym for?
[26:27.120 --> 26:34.600]  So it's some information that we need to take care of and just making sure that we get the interesting bits to developers.
[26:35.600 --> 26:40.620]  And there's actually another question, and we're not getting to the debate, maybe afterwards in the Discord.
[26:40.660 --> 26:44.120]  But should developers keep up with all this information?
[26:44.680 --> 26:45.540]  Should they?
[26:45.660 --> 26:46.700]  And I don't know.
[26:46.700 --> 26:49.320]  But I don't have the information so far.
[26:49.320 --> 26:50.140]  I don't know.
[26:50.140 --> 26:56.200]  I have my opinion, but I'm happy to discuss and to chat about this afterwards in the Discord with you all.
[26:56.760 --> 27:02.940]  So a lot of information of process, a lot of vocabulary that we need to take care of.
[27:04.760 --> 27:16.700]  The second part was, all right, if we get a chop-chop hit and the application is flagged because of some reasons, maybe some plugins got in and so on.
[27:16.700 --> 27:17.720]  Now what?
[27:17.720 --> 27:20.420]  Now what is going to do the developer?
[27:20.960 --> 27:22.200]  I don't know.
[27:22.400 --> 27:24.360]  It just is that there's a URL.
[27:24.360 --> 27:26.140]  It's giving some information.
[27:26.140 --> 27:27.680]  But what is he going to do about this?
[27:27.680 --> 27:28.860]  What is the risk?
[27:28.880 --> 27:32.740]  And what is the kind of remediation he can put in place to mitigate this?
[27:32.740 --> 27:35.720]  But he needs to understand the risk and what can happen.
[27:36.140 --> 27:39.880]  What are the bad things that can happen with this specific thing?
[27:39.880 --> 27:44.280]  And in his environment and in his context, right?
[27:44.500 --> 27:47.060]  So security vocabulary is one thing.
[27:47.060 --> 27:48.800]  But remediation is another one.
[27:48.800 --> 27:56.040]  And bringing remediation in the tool and giving this capability is actually like bringing assistance to the developers.
[27:56.040 --> 28:00.260]  Which means that we're going one step forward to them, towards them.
[28:00.260 --> 28:04.300]  And what's going to happen is developers are going to come to us as well afterwards.
[28:04.300 --> 28:06.840]  And it's going to be a win-win discussion.
[28:06.860 --> 28:12.020]  And everyone's going to be aligned against just having secure application, running production.
[28:12.020 --> 28:14.480]  And everyone's going to be happy with this.
[28:14.480 --> 28:18.180]  So bring anything valuable as soon as you have a hit.
[28:18.180 --> 28:21.340]  And that you have something that's actually triggering in your environment.
[28:21.340 --> 28:24.760]  So it could be a link to whatever, what kind of explanation.
[28:24.760 --> 28:27.920]  It could be like a research document. It could be anything on Twitter.
[28:27.920 --> 28:30.180]  It could be just a thread, whatever.
[28:30.180 --> 28:32.940]  Or it could be also a pointer to internal resources.
[28:33.060 --> 28:36.900]  Do you use the OWASP ASVS, for example?
[28:36.900 --> 28:39.760]  So maybe that could be a link to the specific section.
[28:39.760 --> 28:43.900]  And just referencing it so that developers could start getting information.
[28:43.900 --> 28:47.180]  Developers are super curious as security peeps.
[28:47.180 --> 28:52.100]  So I think it's a good opportunity to have this discussion and this conversation with them.
[28:52.100 --> 28:58.220]  So yeah, just bringing assistance and helping them into achieving better security within their application
[28:58.220 --> 29:01.960]  by giving them as much inputs as we can.
[29:02.920 --> 29:06.170]  Another part is contextualization.
[29:06.560 --> 29:09.900]  And contextualization is also key.
[29:10.160 --> 29:13.090]  Again, I'm not going to go into debate.
[29:13.090 --> 29:18.030]  And I think that this is something like a question that you might have to ask yourself.
[29:18.450 --> 29:23.470]  Should we consider the same criticity if we get a chop-chop hit
[29:23.890 --> 29:26.110]  for one machine which is exposed on the Internet
[29:27.350 --> 29:31.990]  and one machine which is completely air-gapped in a segregated environment
[29:31.990 --> 29:36.610]  where only two people are reaching the application and this specific server?
[29:37.230 --> 29:40.010]  It might be some kind of trade-off that you need to find.
[29:40.010 --> 29:41.650]  Maybe it's finding some balance.
[29:42.310 --> 29:46.510]  Because if you start answering yes, this is exactly the same criticity,
[29:46.510 --> 29:52.110]  the same exploitability, it might just start giving red flags to developers.
[29:52.110 --> 29:54.250]  Because everything is going to be critical.
[29:54.750 --> 29:57.490]  And based on this, developers have a lot to deal with.
[29:57.630 --> 30:00.410]  Production errors. They have a lot of development.
[30:00.410 --> 30:03.950]  They have deadlines. They have a lot of work that they have to do.
[30:03.950 --> 30:07.410]  And if we start getting security tasks on top of it,
[30:07.410 --> 30:09.670]  they're going to start getting overwhelmed.
[30:09.670 --> 30:11.770]  And having too much information afterwards,
[30:11.770 --> 30:14.970]  they're not going to be able to process any of it.
[30:14.970 --> 30:20.870]  So this is why I think it's a trade-off about what we try to achieve with them
[30:20.870 --> 30:24.850]  and what's the image that we want them to perceive from us.
[30:24.850 --> 30:28.310]  So balance and trade-off are now part of the game.
[30:30.650 --> 30:34.670]  Last but not least is about collaboration.
[30:34.750 --> 30:39.050]  And we truly believe that collaboration will empower your organization.
[30:39.050 --> 30:43.990]  And by saying this, it's like finding the best tools to do it.
[30:44.230 --> 30:49.250]  So for example, a lot of people, when we released ChopChop in June,
[30:49.250 --> 30:52.770]  we had a lot of people asking us, what's the difference with Nikto?
[30:52.930 --> 30:59.110]  And we are users of Nikto, we find it absolutely an amazing tool, and it works greatly.
[30:59.110 --> 31:03.210]  But it works greatly especially for security-oriented people.
[31:03.630 --> 31:07.310]  Because it's going to give you usually a lot of output,
[31:07.310 --> 31:09.970]  but afterwards you're going to start to have to dig in.
[31:09.970 --> 31:12.550]  You might have between one line and the other,
[31:12.550 --> 31:16.650]  something which is going to be informational and another one which is going to be critical.
[31:16.650 --> 31:21.890]  But this is going to depend on your experience, on what you think about it,
[31:21.890 --> 31:24.790]  and you're going to have to do those choices on your own.
[31:25.250 --> 31:27.370]  Are the developers going to be able to do it?
[31:27.370 --> 31:31.950]  It might not be possible because they might not know anything about security.
[31:31.950 --> 31:38.630]  So this is why we want to help them by doing some kind of triage in all those findings,
[31:38.630 --> 31:40.750]  and providing them good inputs.
[31:40.750 --> 31:44.530]  So finding the best tools to do this is extremely important,
[31:44.530 --> 31:47.010]  and some of them might be tailor-made.
[31:47.370 --> 31:50.270]  So something definitely to bear in mind.
[31:50.630 --> 31:55.150]  Second of all is making sure that the learning curve that you're going to have,
[31:55.150 --> 31:57.590]  if you're looking for people to collaborate,
[31:57.590 --> 32:04.130]  which means writing new rules, helping, maybe doing a pull request on your project,
[32:04.130 --> 32:06.170]  and doing this kind of collaboration,
[32:06.170 --> 32:11.530]  make sure that the learning curve that people are going to have to start digging in the codebase,
[32:11.530 --> 32:14.030]  that's not going to be something too crazy.
[32:14.650 --> 32:21.570]  Usually, when we speak to developers, they find the security quite mystic.
[32:21.570 --> 32:25.290]  It's like some kind of black magic happening behind the scenes.
[32:25.290 --> 32:28.230]  They're using some weird commands and so on,
[32:28.230 --> 32:35.570]  and this is why if we start putting on the shelf a new application that we want people to start playing with,
[32:35.570 --> 32:37.750]  that they start collaborating with us,
[32:37.750 --> 32:43.050]  we need to make sure that this is mostly friendly to new people coming in security,
[32:43.050 --> 32:45.850]  and writing tools, and writing rules, and so on.
[32:45.850 --> 32:47.530]  So something to bear in mind.
[32:47.910 --> 32:51.290]  And again, this depends on the context where you're in,
[32:51.290 --> 32:54.530]  which means if your developers are using YAML,
[32:54.530 --> 32:56.010]  in this case, go for it.
[32:56.010 --> 33:01.950]  If your users stick with XML for some reasons, because in your context, this is what they use,
[33:01.950 --> 33:03.790]  stick with it and go for it.
[33:03.790 --> 33:06.950]  It's really going to depend on your context,
[33:06.950 --> 33:13.650]  and I think that the last point, discernment and clear thinking for your choices within your organization are key.
[33:13.850 --> 33:16.850]  This is one of the most important things that we learn,
[33:16.850 --> 33:18.610]  is just checking the context,
[33:18.610 --> 33:23.790]  and make sure that the security adapts perfectly to this context within your organization.
[33:23.790 --> 33:27.990]  Because if you're trying to get a bigger audience,
[33:27.990 --> 33:31.470]  and broaden the usage of your tools,
[33:31.470 --> 33:34.070]  you need to actually get them in,
[33:34.070 --> 33:36.810]  and by doing this, you need to look like them,
[33:36.810 --> 33:40.610]  so that they can start getting it without any issue.
[33:41.150 --> 33:44.810]  And last point, but not least, change the posture from no, you can't,
[33:44.810 --> 33:46.530]  to yeah, let's see how to make it.
[33:46.530 --> 33:48.650]  For example, if some people want to use the tool,
[33:48.650 --> 33:51.230]  because they also want to do some monitoring and things,
[33:51.230 --> 33:52.530]  yeah, why not? Why not?
[33:52.530 --> 33:54.530]  They should be able to do this, right?
[33:54.530 --> 33:59.610]  If they start asking questions about new technology, new frameworks that they want to put in,
[33:59.610 --> 34:01.890]  well, obviously there's going to be a balance into,
[34:01.890 --> 34:05.010]  is it something that's good for my company, for my organization?
[34:05.010 --> 34:06.790]  But you need to have this discussion,
[34:06.790 --> 34:09.610]  and not having just really close answers.
[34:10.130 --> 34:14.530]  So that's, we think, some of the keys that we got,
[34:15.710 --> 34:19.130]  and that we managed to see following this development,
[34:19.130 --> 34:23.170]  and trying to broaden the usage of our tools.
[34:23.810 --> 34:26.430]  So this is why we created GoChopChop,
[34:26.430 --> 34:29.990]  and what I'm going to do is give my seat to Stanislas,
[34:29.990 --> 34:32.350]  and he's going to present you the tool,
[34:32.350 --> 34:36.690]  and hopefully make an awesome testing session and demo video.
[34:36.770 --> 34:37.530]  Cheers!
[34:40.630 --> 34:41.970]  All right.
[34:43.810 --> 34:47.050]  Hello everyone, and thank you for watching this talk.
[34:47.050 --> 34:51.330]  I'm Stanislas Malveaux, I'm working currently as an intern,
[34:51.970 --> 34:53.910]  a security intern at Michelin.
[34:54.670 --> 34:59.330]  So I present to you how we created GoChopChop,
[34:59.330 --> 35:03.110]  which is the second version of ChopChop,
[35:03.110 --> 35:05.970]  which Paul presented to you.
[35:06.670 --> 35:09.430]  So, ChopChop, GoChopChop is a command line
[35:09.430 --> 35:13.070]  for dynamic application security testing,
[35:13.070 --> 35:15.310]  and it's written in Golang.
[35:15.310 --> 35:19.790]  Its purpose is to scan several endpoints,
[35:19.790 --> 35:25.350]  and expose services, files, folders, through the web root.
[35:25.570 --> 35:33.230]  And we created the tool so it can be fully configurable by developers,
[35:33.230 --> 35:36.050]  even by non-security people.
[35:36.210 --> 35:39.150]  And I present to you how it works,
[35:39.150 --> 35:43.670]  and how easy it is to modify and add a role, for example.
[35:46.170 --> 35:47.430]  Alright.
[35:48.050 --> 35:53.090]  So, here we are testing our own web application,
[35:53.090 --> 35:56.490]  which is exposed on port 80.
[36:00.010 --> 36:01.690]  Alright.
[36:01.830 --> 36:05.190]  So, for the purpose of the demo,
[36:05.190 --> 36:10.090]  we exposed a git config on the web application.
[36:10.090 --> 36:16.090]  So, we can see here, we did a curl on a web app,
[36:16.090 --> 36:19.230]  and it returns a status code of 200,
[36:19.230 --> 36:23.350]  and a core repository format version, and so on.
[36:23.650 --> 36:29.930]  So, now we're going to try the tool on our own web app.
[36:32.970 --> 36:34.170]  Here.
[36:36.250 --> 36:37.130]  Alright.
[36:37.130 --> 36:42.530]  So, we launched GoJarChat on our URL foobar.com,
[36:42.530 --> 36:48.650]  and it flagged the git config vulnerability,
[36:48.650 --> 36:53.450]  and it gives you a severity level, which is high in our case,
[36:54.290 --> 36:55.570]  a name for the plugin,
[36:55.570 --> 37:01.330]  and a remuneration we can use later to remunerate the vulnerability.
[37:01.330 --> 37:05.510]  So, now we're going to see how to configure ChopChop
[37:06.910 --> 37:10.590]  to make new rules, and how you can configure it.
[37:11.070 --> 37:15.450]  So... no.
[37:15.610 --> 37:16.690]  Alright.
[37:18.210 --> 37:23.070]  So, the rules are written in YAML,
[37:23.070 --> 37:28.570]  and it's very easy to create a new one or modify.
[37:28.570 --> 37:32.130]  So, here, for our example, we have the rule git config,
[37:32.130 --> 37:37.170]  so it will scan the endpoint slash git slash config.
[37:37.430 --> 37:40.690]  We give it a name, so git exposed,
[37:40.870 --> 37:42.570]  a status code of 200,
[37:42.570 --> 37:50.410]  which will scan the HTTP response to see if the HTTP response gives a 200 status code,
[37:50.630 --> 37:58.230]  a match, which is a list of strings the tool needs to find in the HTTP response.
[37:58.230 --> 38:00.550]  So, in our case, we saw it was core.
[38:01.530 --> 38:06.130]  There is other things like no match.
[38:06.130 --> 38:13.670]  No match is a list of strings which needs to not be in the HTTP response.
[38:13.850 --> 38:19.490]  And another one is headers, for example, content-type application-json.
[38:19.830 --> 38:23.350]  And you have to give it a remuneration,
[38:23.350 --> 38:28.590]  so here we say do not deploy .git folder on production servers.
[38:28.590 --> 38:32.630]  A quick description so the developers understand what is going on
[38:32.630 --> 38:37.430]  and why it has a severity level of high.
[38:37.430 --> 38:42.330]  So, here, it verifies that the git repository is accessible from the site
[38:42.330 --> 38:45.830]  and a severity level of high.
[38:45.830 --> 38:52.190]  So, you can easily modify it, for example, high to a low level.
[38:52.190 --> 39:00.610]  Or, for example, if the developers don't really know what to do, we can give FUBAR, for example.
[39:05.070 --> 39:11.390]  So, if we launch it now, it will say,
[39:11.390 --> 39:18.670]  OK, I don't understand FUBAR, you need to give a severity level of informational, low, medium, and high.
[39:18.670 --> 39:23.150]  So, we can modify it again to, for example, low.
[39:23.710 --> 39:24.530]  All right.
[39:24.590 --> 39:32.650]  And if you relaunch it, it will take into account the modification and the severity level goes to low.
[39:32.870 --> 39:37.370]  All right. So, now, we're going to do a new rule.
[39:37.370 --> 39:48.370]  For the sake of the demo, we created a quick HTML page.
[39:51.530 --> 39:57.970]  So, yeah, we see here we created an HTML which says DEFCON rocks.
[39:57.970 --> 40:06.270]  So, I want the tool to flag it and to give us an output on this.
[40:07.070 --> 40:09.110]  All right.
[40:11.550 --> 40:12.910]  OK.
[40:13.410 --> 40:21.450]  So, here, I'm going to scan the main endpoint of the web application.
[40:21.790 --> 40:27.590]  So, what we check is we give a name to the rule, so DEFCON rule here.
[40:27.590 --> 40:32.890]  We need a status code of 200 and we need to match the string DEFCON.
[40:32.890 --> 40:37.290]  So, if the DEFCON is found in the HTTP response, it will flag.
[40:37.330 --> 40:40.470]  And a remediation and description and the severity.
[40:40.930 --> 40:42.670]  So, we can test it.
[40:45.530 --> 40:46.690]  All right.
[40:47.970 --> 40:54.650]  And here, you see the tool flagged it on the main endpoint, the severity level and the remediation.
[40:55.830 --> 40:58.410]  All right. That's pretty much it.
[40:59.390 --> 41:03.790]  Paul will finish this presentation and thanks for listening.
[41:06.690 --> 41:08.710]  Welcome back.
[41:09.430 --> 41:13.310]  Thank you, Stanislas, for the demo.
[41:14.110 --> 41:16.390]  So, what we learned from this.
[41:16.430 --> 41:23.570]  So, from going from an offensive mindset to creating a tool used by developers.
[41:23.570 --> 41:37.870]  And what we learned was things that finding the same language, same vocabulary and speaking the same with the same concept is extremely important.
[41:38.350 --> 41:44.830]  Second of all is make sure that they get your points and that you get theirs as well.
[41:44.830 --> 41:53.030]  Which means that if you have some beliefs, if you have some things and reasons that you think that the application should be secured this way.
[41:53.030 --> 41:58.830]  Just make sure that you also understand what are their problematics in terms of development side.
[41:58.830 --> 42:01.990]  Maybe it can be something based on the organizations.
[42:01.990 --> 42:05.050]  But this is something that has to be done, definitely.
[42:05.050 --> 42:13.390]  It has to be done and having you to be conversational in two channels, basically.
[42:13.890 --> 42:18.310]  Third point is bringing assistance will lead to better collaboration.
[42:18.310 --> 42:25.310]  So, as Stanislas showed you before, by giving some remediations.
[42:25.310 --> 42:39.610]  This could be giving links, giving information to the ASVS OWASP, to a bunch of resources and trying to give more information to the people so that they could secure it in a timely manner.
[42:39.610 --> 42:50.150]  This is something that bringing this will actually help them and helping them will bring definitely more joy and they're going to be able to help you as well if you're looking for something.
[42:51.310 --> 42:58.070]  Again, don't underestimate collaboration to broaden your audience based on your context.
[42:58.370 --> 43:06.370]  If the developers that you have that you're trying to target are using XML and you're coming with something in YAML, this is not going to work.
[43:06.370 --> 43:07.790]  The opposite as well.
[43:07.790 --> 43:15.850]  Because everything which might be shiny or anything like this might not be the real solution and you're not going to bring anything to them.
[43:15.850 --> 43:18.370]  So, try to bring something super valuable.
[43:18.970 --> 43:21.070]  This is extremely important.
[43:21.070 --> 43:27.910]  And last point, but not least, that we have on our checklist is the contextualization in the trade-off.
[43:28.010 --> 43:29.650]  Having this balance.
[43:29.650 --> 43:42.250]  As I showed you before, Stanislas, during the presentation, you are able to change, for example, the severity of one specific finding if your organization has a specific context.
[43:42.550 --> 43:50.970]  For this specific trigger, this specific hit, especially with the GitExpo, I would not recommend putting it in low.
[43:50.970 --> 43:56.130]  But this is something that we can do and programmatically everyone can do this.
[43:56.130 --> 43:58.830]  Even non-developers people, non-tech people.
[43:58.830 --> 44:06.710]  You could definitely imagine a product owner or anyone just like, you have this file and you can actually start tweaking a couple of parameters.
[44:06.730 --> 44:08.870]  This is something that we can do.
[44:08.870 --> 44:19.570]  And even though you can tweak the parameters, if anyone is just going wrong, you can see that there are a couple of checks that Stanislas developed to make sure to give some insights about,
[44:19.570 --> 44:21.970]  okay, it failed, but why does it fail?
[44:21.970 --> 44:29.150]  And okay, so it's got an enumeration and you can only choose from those specific values.
[44:29.250 --> 44:36.810]  But anyway, so those are, I would say, the lesson learned from having an offensive tool and putting it into developers' hands.
[44:37.790 --> 44:43.210]  We do have a couple of references and obviously we're just on the shoulder of giants.
[44:43.210 --> 44:51.070]  And I think that those specific links are quite valuable, especially with what we try to build.
[44:51.070 --> 44:57.830]  And I think that those talks and those blog posts are actually similar to the mindset that we have.
[44:57.830 --> 45:02.390]  So first of all, and we talked about it with cracking the lens from James Cato.
[45:02.390 --> 45:14.710]  And I think it's interesting in terms of the scope he has, taking everything from the bug bounty platform and having hypotheses and running it and seeing if it triggers anything or not.
[45:14.710 --> 45:19.630]  The second one is the keynote from the STIC. STIC is a French conference in France.
[45:19.630 --> 45:26.110]  And we had the privilege to have Alex Ionescu in 2019 speaking about security with developers.
[45:26.110 --> 45:43.570]  He started dealing with Rust and a bunch of things like this where he was actually launching the debate about should developers keep up with the compilation flags to avoid having any kind of memory corruption errors, etc.
[45:43.750 --> 45:49.830]  And it's an interesting discussion. I think that might have some English subtitles because the talk is in French.
[45:49.830 --> 45:54.990]  But definitely something that I would consider to watch afterwards.
[45:54.990 --> 45:58.310]  The last two are actually from Harold Meir.
[45:58.850 --> 46:03.850]  And two great conferences talks. The first one, learning the wrong lessons from offense.
[46:03.850 --> 46:08.490]  And the second one from B-Sides Doha, which is make more stuff.
[46:08.650 --> 46:11.610]  And this was oriented to security people.
[46:12.050 --> 46:16.650]  So those four references are absolutely awesome.
[46:16.650 --> 46:21.770]  And we recommend you to watch them. It's worth the watch, definitely.
[46:23.370 --> 46:27.490]  So thanks a lot. Thanks a lot for your time. Thanks a lot for watching.
[46:27.570 --> 46:33.390]  Feel free to check our GitHub if you want to follow the project and start collaborating with us.
[46:33.390 --> 46:41.510]  And if we do have one advice, embrace hackiness, have fun and collaborate with your organization to make it more secure.
[46:41.930 --> 46:43.890]  Cheers. Bye.
